Transport layer signaling security with next generation firewall

ABSTRACT

Techniques for transport layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for transport layer signaling with next generation firewall includes monitoring transport layer signaling traffic on a service provider network at a security platform; and filtering the transport layer signaling traffic at the security platform based on a security policy.

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/863,897 entitled TRANSPORT LAYER SIGNALING SECURITY WITH NEXTGENERATION FIREWALL filed Apr. 30, 2020, which is a continuation of U.S.patent application Ser. No. 15/895,942, now U.S. Pat. No. 10,693,838,entitled TRANSPORT LAYER SIGNALING SECURITY WITH NEXT GENERATIONFIREWALL filed Feb. 13, 2018, both of which are incorporated herein byreference for all purposes.

BACKGROUND OF THE INVENTION

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device or a set of devices, or software executedon a device, such as a computer, that provides a firewall function fornetwork access. For example, firewalls can be integrated into operatingsystems of devices (e.g., computers, smart phones, or other types ofnetwork communication capable devices). Firewalls can also be integratedinto or executed as software on computer servers, gateways,network/routing devices (e.g., network routers), or data appliances(e.g., security appliances or other types of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies. Forexample, a firewall can filter inbound traffic by applying a set ofrules or policies. A firewall can also filter outbound traffic byapplying a set of rules or policies. Firewalls can also be capable ofperforming basic routing functions.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the followingdetailed description and the accompanying drawings.

FIG. 1A is a block diagram of a 3G wireless network with a securityplatform for providing enhanced security in accordance with someembodiments.

FIG. 1B is a block diagram of a 4G/LTE wireless network with a securityplatform for providing enhanced security in accordance with someembodiments.

FIG. 2A is an example of GTPv1-C messages exchanged between an SGSN anda GGSN in a 3G network in accordance with some embodiments.

FIG. 2B is an example of GTPv2-C messages exchanged between entitiesincluding an MME, SGW, and a PGW in a 4G/LTE network in accordance withsome embodiments.

FIG. 3A is another example of a GTPv1-C message flow between an SGSN anda GGSN in a 3G network in accordance with some embodiments.

FIG. 3B is another example of a GTPv2-C message flow between an MME,SGW, and a PGW in a 4G/LTE network in accordance with some embodiments.

FIG. 4A is a block diagram of a 4G/LTE wireless network with a securityplatform for providing Diameter over SCTP security with next generationfirewall in mobile networks for service providers in accordance withsome embodiments.

FIG. 4B is a block diagram of a 4G/LTE wireless network with a securityplatform for providing SIGTRAN security with next generation firewall inmobile networks for service providers in accordance with someembodiments.

FIG. 4C is a block diagram of a 4G/LTE wireless network with a securityplatform for providing SCCP security with next generation firewall inmobile networks for service providers in accordance with someembodiments.

FIG. 4D is a block diagram of a 4G/LTE wireless network with a securityplatform for providing OSI layer 7 signaling security with nextgeneration firewall in mobile networks for service providers inaccordance with some embodiments.

FIG. 4E illustrates an example signaling protocol stack.

FIG. 4F illustrates an example of the SS7 over IP protocol stack.

FIG. 5A is an example signaling attack with a MAP message that can beprevented to provide enhanced security for mobile/service providernetworks using a security platform for security policy enforcement inaccordance with some embodiments.

FIG. 5B is another example signaling attack with a MAP message that canbe prevented to provide enhanced security for mobile/service providernetworks using a security platform for security policy enforcement inaccordance with some embodiments.

FIG. 5C is another example signaling attack with a MAP message that canbe prevented to provide enhanced security for mobile/service providernetworks using a security platform for security policy enforcement inaccordance with some embodiments.

FIG. 6 is a functional diagram of hardware components of a networkdevice for performing security policy enforcement on mobile/serviceprovider network environments in accordance with some embodiments.

FIG. 7 is a functional diagram of logical components of a network devicefor performing security policy enforcement on mobile/service providernetwork environments in accordance with some embodiments.

FIG. 8 is a flow diagram of a process for performing transport layersignaling based security in mobile networks for service providers inaccordance with some embodiments.

FIG. 9 is a flow diagram of a process for performing application layersignaling based security in mobile networks for service providers inaccordance with some embodiments.

FIG. 10 is a flow diagram of a process for performing network layersignaling based security in mobile networks for service providers inaccordance with some embodiments.

FIG. 11 is a flow diagram of a process for performing Diameter overSCTP-based security in mobile networks for service providers inaccordance with some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as aprocess; an apparatus; a system; a composition of matter; a computerprogram product embodied on a computer readable storage medium; and/or aprocessor, such as a processor configured to execute instructions storedon and/or provided by a memory coupled to the processor. In thisspecification, these implementations, or any other form that theinvention may take, may be referred to as techniques. In general, theorder of the steps of disclosed processes may be altered within thescope of the invention. Unless stated otherwise, a component such as aprocessor or a memory described as being configured to perform a taskmay be implemented as a general component that is temporarily configuredto perform the task at a given time or a specific component that ismanufactured to perform the task. As used herein, the term ‘processor’refers to one or more devices, circuits, and/or processing coresconfigured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention isprovided below along with accompanying figures that illustrate theprinciples of the invention. The invention is described in connectionwith such embodiments, but the invention is not limited to anyembodiment. The scope of the invention is limited only by the claims andthe invention encompasses numerous alternatives, modifications andequivalents. Numerous specific details are set forth in the followingdescription in order to provide a thorough understanding of theinvention. These details are provided for the purpose of example and theinvention may be practiced according to the claims without some or allof these specific details. For the purpose of clarity, technicalmaterial that is known in the technical fields related to the inventionhas not been described in detail so that the invention is notunnecessarily obscured.

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device, a set of devices, or software executedon a device that provides a firewall function for network access. Forexample, a firewall can be integrated into operating systems of devices(e.g., computers, smart phones, or other types of network communicationcapable devices). A firewall can also be integrated into or executed assoftware applications on various types of devices or security devices,such as computer servers, gateways, network/routing devices (e.g.,network routers), or data appliances (e.g., security appliances or othertypes of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies (e.g.,network policies or network security policies). For example, a firewallcan filter inbound traffic by applying a set of rules or policies toprevent unwanted outside traffic from reaching protected devices. Afirewall can also filter outbound traffic by applying a set of rules orpolicies (e.g., allow, block, monitor, notify or log, and/or otheractions can be specified in firewall/security rules or firewall/securitypolicies, which can be triggered based on various criteria, such asdescribed herein). A firewall may also apply anti-virus protection,malware detection/prevention, or intrusion protection by applying a setof rules or policies.

Security devices (e.g., security appliances, security gateways, securityservices, and/or other security devices) can include various securityfunctions (e.g., firewall, anti-malware, intrusion prevention/detection,proxy, and/or other security functions), networking functions (e.g.,routing, Quality of Service (QoS), workload balancing of network relatedresources, and/or other networking functions), and/or other functions.For example, routing functions can be based on source information (e.g.,source IP address and port), destination information (e.g., destinationIP address and port), and protocol information.

A basic packet filtering firewall filters network communication trafficby inspecting individual packets transmitted over a network (e.g.,packet filtering firewalls or first generation firewalls, which arestateless packet filtering firewalls). Stateless packet filteringfirewalls typically inspect the individual packets themselves and applyrules based on the inspected packets (e.g., using a combination of apacket's source and destination address information, protocolinformation, and a port number).

Application firewalls can also perform application layer filtering(e.g., using application layer filtering firewalls or second generationfirewalls, which work on the application level of the TCP/IP stack).Application layer filtering firewalls or application firewalls cangenerally identify certain applications and protocols (e.g., webbrowsing using HyperText Transfer Protocol (HTTP), a Domain Name System(DNS) request, a file transfer using File Transfer Protocol (FTP), andvarious other types of applications and other protocols, such as Telnet,DHCP, TCP, UDP, and TFTP (GSS)). For example, application firewalls canblock unauthorized protocols that attempt to communicate over a standardport (e.g., an unauthorized/out of policy protocol attempting to sneakthrough by using a non-standard port for that protocol can generally beidentified using application firewalls).

Stateful firewalls can also perform stateful-based packet inspection inwhich each packet is examined within the context of a series of packetsassociated with that network transmission's flow of packets/packet flow(e.g., stateful firewalls or third generation firewalls). This firewalltechnique is generally referred to as a stateful packet inspection as itmaintains records of all connections passing through the firewall and isable to determine whether a packet is the start of a new connection, apart of an existing connection, or is an invalid packet. For example,the state of a connection can itself be one of the criteria thattriggers a rule within a policy.

Advanced or next generation firewalls can perform stateless and statefulpacket filtering and application layer filtering as discussed above.Next generation firewalls can also perform additional firewalltechniques. For example, certain newer firewalls sometimes referred toas advanced or next generation firewalls can also identify users andcontent. In particular, certain next generation firewalls are expandingthe list of applications that these firewalls can automatically identifyto thousands of applications. Examples of such next generation firewallsare commercially available from Palo Alto Networks, Inc. (e.g., PaloAlto Networks' PA Series next generation firewalls and Palo AltoNetworks' VM Series virtualized next generation firewalls).

For example, Palo Alto Networks' next generation firewalls enableenterprises and service providers to identify and control applications,users, and content—not just ports, IP addresses, and packets—usingvarious identification technologies, such as the following: App-ID™(e.g., App ID) for accurate application identification, User-ID™ (e.g.,User ID) for user identification (e.g., by user or user group), andContent-ID™ (e.g., Content ID) for real-time content scanning (e.g.,controls web surfing and limits data and file transfers). Theseidentification technologies allow enterprises to securely enableapplication usage using business-relevant concepts, instead of followingthe traditional approach offered by traditional port-blocking firewalls.Also, special purpose hardware for next generation firewallsimplemented, for example, as dedicated appliances generally provideshigher performance levels for application inspection than softwareexecuted on general purpose hardware (e.g., such as security appliancesprovided by Palo Alto Networks, Inc., which utilize dedicated, functionspecific processing that is tightly integrated with a single-passsoftware engine to maximize network throughput while minimizing latencyfor Palo Alto Networks' PA Series next generation firewalls).

Technical and Security Challenges in Today's Mobile Networks for ServiceProviders

In today's service provider network environments, the service providercan typically only implement a static security policy for wirelessdevices communicating over the service provider's wireless network(e.g., the service provider cannot define a security/firewall policy ona per endpoint basis and/or a per flow basis for wireless devicescommunicating over the service provider's wireless network), and anychanges generally require network infrastructure updates. Further, intoday's service provider network environments, the service providergenerally cannot implement a security policy that is based on hardwareattributes or location information associated with the wireless devicesfor wireless devices communicating over the service provider's wirelessnetwork (e.g., the service provider cannot implement the security policybased on packet content inspection and/or based on various otherrelevant parameters associated with wireless devices, such as an accesspoint of a device communicating over the wireless network).

Thus, technical and security challenges with service provider networksexist. As such, what are needed are new and improved security techniquesfor such service provider network environments. Specifically, what areneeded are new and improved solutions for monitoring service providernetwork traffic and, more specifically, improved solutions for solvingsignaling traffic related security problems for service providernetworks, including, for example, performing packet content inspectionof various protocols used on various interfaces within GSM (GlobalSystem for Mobile Communication), UMTS (Universal MobileTelecommunications System), LTE (Long Term Evolution) networks, GTPv1-Cused in 3G networks, and/or GTPv2-C used in 4G/LTE networks, andapplying security policies (e.g., firewall policies) on service providernetworks to facilitate enhanced security for service provider networks.

Overview of Techniques for Enhanced Security in Mobile Networks forService Providers

Accordingly, techniques for enhanced security platforms within serviceprovider network environments are disclosed. Specifically, varioussystem architectures for implementing and various processes forproviding security platforms within service provider networkenvironments that can monitor various protocols used on variousinterfaces are disclosed. More specifically, various systemarchitectures for implementing and various processes for providingsecurity platforms within service provider network environments that canmonitor various protocols used on various interfaces within GSM (GlobalSystem for Mobile Communication), UMTS (Universal MobileTelecommunications System), LTE (Long Term Evolution) networks, GTPv1-Cused in 3G networks, and/or GTPv2-C used in 4G/LTE networks, andapplying security policies (e.g., firewall policies) on service providernetworks are disclosed. For example, the disclosed techniques facilitateapplying security policies based on an application, IP address, contentID, subscriber location, unique device identifier (e.g., InternationalMobile Equipment Identifier (IMEI) for a generally unique 3GPP deviceidentifier, such as for mobile phones for a Global System for MobileCommunications (GSM) network), unique subscriber identifier (e.g.,International Mobile Subscriber Identity (IMSI) for uniquely identifyinga GSM subscriber), Radio Access Technology (RAT) (e.g., for identifyingthe associated RAT for the mobile device), any other informationextracted from the decoded signaling traffic on a mobile serviceprovider network to solve signaling security problems and facilitateenhanced security on service provider networks (e.g., throttlingspecific messages/traffic to prevent/mitigate denial of service (DoS)attacks or to counter other attacks/vulnerabilities in one or moresignaling protocols), and/or any combination thereof using nextgeneration firewalls on service provider networks, such as furtherdescribed below.

In one embodiment, the security platform is configured to monitortraffic in the mobile core/service provider's core network (e.g.,including monitoring various protocols used for signaling traffic whichare specified in 3GPP releases of 3G networks, 3GPP releases of 4Gnetworks, and 3GPP releases of 5G networks) to perform packet contentinspection security monitoring techniques that can be utilized forapplying security policies based on information extracted from signalingmessages and/or user session traffic, as will be further describedbelow. For example, the security platform can be configured todynamically apply security policy per IP flow (e.g., persource/destination IP address(es)) for wireless devices. In an exampleimplementation, the security platform can be configured to dynamicallyapply security policy per IP flow for wireless devices by monitoringsignaling traffic (e.g., at one or more layers, such as transport,network, and/or application layers) on a mobile service provider networkand dynamically correlating the signaling layer(s) with the datalayer(s) security to facilitate enhanced security on the serviceprovider network (e.g., implementing a consolidated view into signalingand data layers security platform offering for various signalingprotocols including, for example, the following: Stream ControlTransport Protocol (SCTP) (a signaling transport layer protocolspecified in RFC 4960 available at https://tools.ietf.org/html/rfc4960),S1-APP/MME, Diameter (an authentication, authorization, and accountingsignaling protocol that can utilize SCTP for its signaling transportprotocol, and Diameter is specified in multiple RFCs of the InternetEngineering Task Force (IETF), including RFC 6733 available athttps://tools.ietforg/html/rfc6733), Mobile Application Part (MAP) (anSS7/application layer signaling protocol specified in ITU Q.2220available at http://www.itu.int/rec/T-REC-Q.2220/en/), CAMEL ApplicationPart (CAP) (an SS7/application layer signaling protocol specified in3GPP TS 29.078 available athttps://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1597), Intelligent Network Application Part (INAP) (anSS7/application layer signaling protocol specified in ETSI specificationETS 300 374-1 available athttp://www.etsi.org/deliver/etsi_i_ets/300300_300399/30037401/01_60/ets_30037401e01p.pdf),Signaling Control Connection Protocol (SCCP) (a signaling network layerprotocol that can utilize SCTP for its signaling transport protocol, andSCCP is specified in multiple ITU recommendations of the InternationalTelecom Union (ITU), including ITU Q.711 available athttp://www.itu.int/rec/T-REC-Q.711/en/ and ITU Q.714 available athttp://www.itu.int/rec/T-REC-Q.714/en/), and signaling transport(SIGTRAN) (a signaling transport layer protocol specified in RFC 2719available at https://tools.ietf.org/html/rfc2719), and GTPv2-C specifiedin 3GPP T.S. 29.274, and GTPv1-C specified in 3GPP T.S. 29.060).

When a mobile device attaches to the network (e.g., a 3GPP/LTE EPCnetwork), the anchor gateway (e.g., the Packet Data Network (PDN)Gateway or PGW in a 3GPP/LTE EPC network) will generally query a PolicyCharging Function and Control (PCRF) entity over the Gx interface todetermine the policy for that subscriber. The PCRF entity will send backto the PGW information about, for example, QoS, filters, and/or otherpolicy related information that is stored in the PCRF entity for thatsubscriber that is to be applied for this subscriber (e.g., the PCRFentity is generally used to manage/control bandwidth and QoS on wirelessnetworks; and the AAA server is generally used for authenticationpurposes on wireless networks).

In one embodiment, a security platform is configured to monitor the GTPcommunications between the SGSN and GGSN in the mobile core network(e.g., next generation firewall, which can monitor various GTP-Cmessages exchanged for activation, updating, and/or deactivation of theGTP sessions in the service provider's network as further describedbelow), and the security platform (e.g., a firewall (FW), a networksensor acting on behalf of the firewall, or another device/componentthat can implement security policies using the disclosed techniques) isconfigured to apply a security policy using one or more parametersextracted from the GTP-C messages as further described below. Thus,service providers, IoT device providers, and/or system integrators canuse the disclosed techniques to configure and enforce enhanced securitypolicies using one or more parameters extracted from the GTP-C messagesas further described below.

In one embodiment, a security platform is configured to monitor the GTPcommunications between the SGSN and GGSN in the mobile core network(e.g., next generation firewall, which can monitor GTP-U traffic duringGTP sessions in the service provider's network as further describedbelow), and the security platform (e.g., a firewall (FW), a networksensor acting on behalf of the firewall, or another device/componentthat can implement security policies using the disclosed techniques) isconfigured to apply a security policy using one or more parametersextracted from the GTP-C messages and based on the user session trafficmonitored by the security platform during the GTP session (e.g.,Application ID, Content ID, URL filtering, and/or other stateful packetinspection extracted from the user traffic during the GTP session) asfurther described below. Thus, service providers, IoT device providers,and/or system integrators can use the disclosed techniques to configureand enforce enhanced security policies using one or more parametersextracted from the GTP-C messages and information extracted from usertraffic in GTP sessions as further described below.

For example, service providers, IoT device providers, and/or systemintegrators can apply different security policies based on IMEI, IMSI,location, RAT, any other information extracted from the decodedsignaling traffic on a mobile service provider network, and/or anycombination thereof using next generation firewalls on service providernetworks, such as further described below. As another example, serviceproviders, IoT device providers, and/or system integrators can applydifferent security policies based on IMEI, IMSI, location, RAT, and/orany other information extracted from the decoded signaling traffic on amobile service provider network, based on monitored user traffic duringGTP sessions.

In one embodiment, a security platform (e.g., a firewall, a networksensor acting on behalf of the firewall, or another device/componentthat can implement security policies) is configured to use existing 3GPPto dynamically apply security policies (e.g., granular securitypolicies, which can be applied per subscriber (e.g., IMSI)/IP inreal-time, per mobile device (e.g., IMEI)/IP in real-time, persubscriber location/IP in real-time, per RAT/IP in real-time, and/or anycombinations thereof) as data calls are set-up and/or modified/updatedusing the disclosed techniques, such as further described below. Forexample, the security platform can be configured to dynamically applysecurity policy per IP flow for wireless devices.

In one embodiment, the signaling messages (e.g., messages exchanged foractivation, updating, and deactivation of tunneling sessions) in themobile core/service provider's core network are existing and/or standardmessages as used in current 3GPP EPC (e.g., GTP-C messages, such asGTPv1-C for 3G networks and GTPv2-C for 4G networks) and/or otherwireless network environments, and the security platform is configuredto monitor such messages to extract one or more parameters that can beutilized for applying security policies from these messages, as will befurther described below.

In one embodiment, the security platform is configured to monitor usersession traffic in tunneling sessions in the mobile core/serviceprovider's core network (e.g., GTP-U traffic) to perform packet contentinspection security monitoring techniques that can be utilized forapplying security policies based on the user session traffic, as will befurther described below.

In one embodiment, a security platform is configured to monitor sessions(e.g., including monitoring various protocols used for signaling trafficwhich are specified in 3GPP releases of 3G networks, 3GPP releases of 4Gnetworks, and 3GPP releases of 5G networks) to/from various networkelements in the service provider network to perform packet contentinspection security monitoring techniques that can be utilized forapplying security policies based on the session traffic, as will befurther described below.

In one embodiment, a subscriber/IP address is associated with (e.g.,mapped to) a security policy to facilitate security policy enforcementper IP flow using the security platform (e.g., a next generationfirewall (NGFW)). For example, the security platform can apply agranular security policy based on information extracted from thesignaling messages and/or user session traffic, as will be furtherdescribed below.

In one embodiment, the security platform (e.g., a next generationfirewall (NGFW)) monitors signaling transport traffic, including SCTPprotocol traffic. For example, the security platform can filter SCTPprotocol traffic, including performing stateful inspection, SCTPprotocol validation, and/or SCTP multi-chunk inspection (e.g.,configured in an SCTP protection security profile in a security policyimplemented by the security platform).

In one embodiment, the security platform (e.g., a next generationfirewall (NGFW)) monitors signaling transport traffic (e.g., signalingtransport traffic and higher layers of signaling traffic) on serviceprovider's core networks. For example, the security platform can filtersignaling transport traffic (e.g., SIGTRAN messages), includingperforming stateful inspection, SCTP protocol validation, and/or SCTPmulti-chunk inspection (e.g., configured in an SCTP protection securityprofile in a security policy implemented by the security platform).

In one embodiment, the security platform (e.g., a next generationfirewall (NGFW)) monitors upper layer signaling protocols. For example,the security platform can filter layer-7/application layer signalingprotocol layers (e.g., filtering per SSN, GT, and Opcode, includingsupport for filtering protocols used in a Signaling System No. 7 (SS7)network).

In one embodiment, the security platform (e.g., a next generationfirewall (NGFW)) monitors Diameter signaling traffic. For example, thesecurity platform can perform Diameter protocol filtering perApplication ID (e.g., example application IDs for Diameter filtering caninclude one or more of the following: Diameter Common Messages, DiameterBase Accounting, Diameter Credit Control, 3GPP 56a/S6d, 3GPP S9, 3GPPS13/S13′, 3GPP S6c, 3GPP Sh, and 3GPP Rx), Command Code (e.g., variouscommand codes, such as 3GPP-Update-Location for 3GPP Application ID:3GPP-S6a/S6d, Credit-Control for Application ID: 3GPP-S9,3Gpp-ME-Identity-Check for Application ID: 3GPP-S13, Credit-Control forApplication ID: Diameter Credit Control, etc.), and AVP (e.g., a rangeof range 0-16777215).

These and other embodiments and examples of techniques for providingsecurity platforms that facilitate enhanced signaling security onservice provider network environments are further described below.

Example System Architectures for Implementing Enhanced Security inMobile Networks for Service Providers

FIG. 1A is a block diagram of a 3G wireless network with a securityplatform for providing enhanced security in accordance with someembodiments. FIG. 1A is an example service provider network environmentfor a 3G network architecture that includes a 3G network (e.g., and canalso include Wired, Wi-Fi, 4G, 5G, and/or other networks (not shown inFIG. 1A)) to facilitate data communications for subscribers over theInternet and/or other networks. As shown in FIG. 1A, a Radio AccessNetwork (RAN) 130 is in communication with a mobile core network 120.RAN 130 can include Macro Cell(s) 142 in the wireless network, and smallcells, such as 3G Micro Cell(s) 144, 3G Pico Cell(s) 146, and 3G FemtoCells 148 in the wireless network. As shown, various User Equipment (UE)132, 134, and 136 can communicate using various cells in RAN 130.

As also shown in FIG. 1A, the small cells, shown as 3G Micro Cell(s)144, 3G Pico Cell(s) 146, and 3G Femto Cell(s) 148, are in networkcommunication with a Home Node B Gateway (HNB GW) 108 over IP Broadbandwireless network 140 and, in this example, the traffic ismonitored/filtered using a security platform 102 (e.g., a (virtual)device/appliance that includes a firewall (FW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) configuredto perform the disclosed security techniques as further described below.As also shown, Macro Cell(s) (NodeB) 142 is in network communicationwith the Radio Network Controller (RNC) 110, and the traffic ismonitored/filtered using a security platform 102 (e.g., a firewall (FW),a network sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below.

As also shown in FIG. 1A, HNB GW 108 and RNC 110 are each incommunication with a Packet Data Network (PDN) 122 via a Serving GPRSSupport Node (SGSN) 112 and a Gateway GPRS Support Node (GGSN) 114 of amobile (3G) core network 120 and with a Public Switched TelephoneNetwork (PSTN) 124 via a Mobile Switching Center (MSC) 116 of mobilecore network 120. As shown, the traffic passing through the mobile corenetwork between SGSN 112 and GGSN 114 of mobile core network 120 ismonitored/filtered using a security platform 102 (e.g., a firewall (FW),a network sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies using thedisclosed techniques) configured to perform the disclosed securitytechniques as further described below.

For example, various UE, such as the UE shown at 132, 134, and 136, caninclude mobile and/or stationary wireless network enabled devices thatcan communicate over RAN 130 to access PDN 122, such as a securitycamera (e.g., which may be in a fixed location), a watch, mobile/smartphone, tablet, laptop, computer/PC or other computing device (which maybe mobile or at a fixed location), an automobile, a baby monitor, athermostat, and/or various other network enabled computing devices(e.g., any device associated with the Internet of Things (IoT)). Varioususe case scenarios applying the disclosed security techniques towireless network enabled devices to facilitate new and enhanced securitywill be further described below.

Thus, in this example, a network architecture for performing thedisclosed security techniques for a 3G network implementation isprovided in which a security platform(s) can be provided to performtraffic monitoring and filtering to provide new and enhanced securitytechniques based on signaling and packet content inspection informationas further described below. As will now be apparent to one of ordinaryskill in the art in view of the disclosed embodiments, a securityplatform(s) can similarly be provided in various other locations withinthe network architecture (e.g., an inline, pass-through NGFW, such asshown by FW 102, and/or implemented as agents or virtual machines (VM)instances, which can be executed on existing devices in the serviceprovider's network, such as SGSN 112 and/or GGSN 114) and in variouswireless network environments, such as 3G, 4G, 5G, and/or other wirelessnetwork environments to perform the disclosed security techniques asfurther described below. As also described further below, the disclosedsecurity techniques can similarly be applied to roaming devices thatconnect to the mobile core of the wireless network environment.

FIG. 1B is a block diagram of a 4G/LTE wireless network with a securityplatform for providing enhanced security in accordance with someembodiments. FIG. 1B is an example service provider network environmentfor a 4G/Long Term Evolution (LTE) Evolved Packet Core (EPC) networkarchitecture that includes a 4G/LTE network (e.g., and can also includeWired, Wi-Fi, 3G, 5G, and/or other networks) to facilitate datacommunications for subscribers over the Internet and/or other networks.As shown in FIG. 1B, a Radio Access Network (RAN) 180 is incommunication with an Evolved Packet Core (EPC) network 170. RAN 180 caninclude LTE Macrocell(s) 192 in the wireless network, and small cells,such as LTE Microcell(s) 194, LTE Picocell(s) 196, and LTE Femtocells198 in the wireless network. As shown, various User Equipment (UE) 182,184, and 186 can communicate using various cells in RAN 180.

As also shown in FIG. 1B, Femtocell(s) 198 is in network communicationwith a Home eNode B Gateway (HeNB GW) 158 over IP Broadband wirelessnetwork 190, and, in this example, the traffic is monitored/filteredusing a security platform 156E (e.g., a (virtual) device/appliance thatincludes a firewall (FW), a network sensor acting on behalf of thefirewall, or another device/component that can implement securitypolicies using the disclosed techniques) configured to perform thedisclosed security techniques as further described below. As also shown,Macro Cell(s) 192 is in network communication with a Mobility ManagementEntity (MME) 160 and a Serving Gateway (SGW) 162, and the traffic ismonitored/filtered using a FW 156D, and, in this example, the traffic ismonitored/filtered using a security platform (e.g., a (virtual)device/appliance that includes a firewall (FW), a network sensor actingon behalf of the firewall, or another device/component that canimplement security policies using the disclosed techniques) configuredto perform the disclosed security techniques as further described below.

As also shown in FIG. 1B, HeNB GW 158 is in communication with a PacketData Network (PDN) 172 via SGW 162 and a PDN Gateway (PGW) 164 ofEvolved Packet Core (EPC) network 170. As shown, the traffic passingthrough the mobile core network between SGW 162 and GGSN/PGW 164 of EPC170 is monitored/filtered using a security platform 152 (e.g., a(virtual) device/appliance that includes a firewall (FW), a networksensor acting on behalf of the firewall, or another device/componentthat can implement security policies using the disclosed techniques)configured to perform the disclosed security techniques as furtherdescribed below.

For example, various UEs, such as UEs shown at 174, 176, 182, 184, and186, can include mobile and/or stationary wireless network enableddevices that can communicate over RAN 180, Untrusted Non-3GPP Wi-Fiaccess 177, and/or Trusted 3GPP Wi-Fi access 178, to access PDN 172 viaEPC 170 in which such communications can be monitored using securityplatforms 152, 156A, 156B, 156C, 156D, 156E, 156F, and/or 156G as shownin FIG. 1B (e.g., the security platforms can be located at variouslocations/interfaces within EPC 170 as shown in FIG. 1B) and as furtherdescribed below. Example UEs can include a security camera (e.g., whichmay be in a fixed location), a watch, mobile/smart phone, tablet,laptop, computer/PC or other computing device (which may be mobile or ata fixed location), an automobile, a baby monitor, a thermostat, and/orvarious other network enabled computing devices (e.g., any deviceassociated with the Internet of Things (IoT)). Various use casescenarios applying the disclosed security techniques to wireless networkenabled devices to facilitate new and enhanced security will be furtherdescribed below.

Thus, in this example, a network architecture for performing thedisclosed security techniques for a 4G/LTE EPC network implementation isprovided in which a security platform(s) can be provided to performtraffic monitoring and filtering to provide new and enhanced securitytechniques based on signaling and packet content inspection informationas further described below. As will now be apparent to one of ordinaryskill in the art in view of the disclosed embodiments, a securityplatform(s) can similarly be provided in various other locations withinthe network architecture (e.g., an inline, pass-through NGFW, such asshown by FW 152, and/or implemented as agents or virtual machines (VM)instances, which can be executed on existing devices in the serviceprovider's network, such as SGW 162 and/or PGW 164) and in variouswireless network environments, such as 3G, 4G, 5G, and/or other wirelessnetwork environments to perform the disclosed security techniques asfurther described below. As also described further below, the disclosedsecurity techniques can similarly be applied to roaming devices thatconnect to the mobile core of the wireless network environment.

FIG. 2A is an example of GTPv1-C messages exchanged between an SGSN anda GGSN in a 3G network in accordance with some embodiments.Specifically, FIG. 2A shows GTPv1-C messages exchanged for activating,updating, and deactivating GTP sessions between an SGSN 212 and a GGSN214 in a 3G network using a Gn/Gp interface. GTP is a standardizedprotocol that is based on the User Datagram Protocol (UDP).

Referring to FIG. 2A, a first message that is sent from SGSN 212 to GGSN214 is a Create PDP Context Request message as shown at 220. The CreatePDP Context Request message is a message to allocate a control and datachannel for a new network communication access request for a mobiledevice in a 3G network (e.g., to be provided with a tunnel for user IPpackets for network communications over a mobile service provider'snetwork). For example, the Create PDP Context Request message caninclude location, hardware identity (e.g., IMEI), subscriber identity(e.g., IMSI), and/or radio access technology (RAT) information in thenew network communication access request for the mobile device.

In one embodiment, the security platform monitors GTP-C messages in themobile core to extract certain information included within GTP-Cmessages based on a security policy (e.g., monitoring GTPv1-C messagesusing a pass through firewall/NGFW that is located between the SGSN andGGSN in the mobile core such as shown in FIG. 1A and/or between variousother elements/entities in the mobile core/EPC such as shown in FIG. 1B,or using a firewall/NGFW implemented as VM instances or agents executedon the SGSN, GGSN, SGW, PGW, and/or other entities in the mobile corenetwork/EPC). For example, the security platform can monitor GTP-Cmessages and extract location, hardware identity (e.g., IMEI),subscriber identity (e.g., IMSI), and/or radio access technology (RAT)from the Create PDP Request message, such as further described below.

As shown in FIG. 2A, GGSN 214 sends a Create PDP Context Responsemessage as shown at 222 to SGSN 212 to indicate whether the Create PDPContext Request is granted or not for the mobile device (e.g., whetherto allow tunneled user data traffic in the mobile core network for themobile device). The Create PDP Context Request and Create PDP ContextResponse messages sent using UDP communications on port 2123 are usedfor creating the PDP context as shown in FIG. 2A.

As also shown in FIG. 2A, an Update PDP Context Request message shown at224 and an Update PDP Context Response message shown at 226 areexchanged between the SGSN and GGSN. For example, Update PDP ContextRequest/Response messages sent using UDP communications on port 2123 canbe used to update one or more parameters for the connection/session.

Referring to FIG. 2A, in this example, the request for networkcommunication access for the mobile device on the mobile serviceprovider's network is allowed, and the SGSN sends a T-PDU message(s)shown at 228. For example, T-PDU message(s) can be used for mobile usernetwork communication (e.g., IP packets) inside the tunnel (e.g.,control/signaling messages are generally communicated on port 2123 usingthe GTP-C protocol, and user data messages are generally communicated onport 2152 using the GTP-U protocol). As shown at 230, T-PDU messagesgenerally include a GTP Header, IP Header, TCP Header, and HTTP payload.

As also shown in FIG. 2A, the PDP context is deleted after completion ofthe user data session. Specifically, the PDP context is deleted aftertransfer of the user data is completed and the SGSN and GGSN exchange aDelete PDP Context Request message as shown at 232 and a Delete PDPContext Response message as shown at 234. The Delete PDP Context Requestand Delete PDP Context Response messages sent using UDP communicationson port 2123 are used for deleting the PDP context as also shown in FIG.2A.

In one embodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as GTP-Ctraffic, and inspection of tunneled user traffic in service providernetworks, such as GTP-U traffic (e.g., using a security platform, suchas implemented using an NGFW that is capable of performing packetcontent inspection to identify an application ID, a user ID, a contentID, perform URL filtering, and/or other firewall/security policy forsecurity/threat detection/prevention). In one embodiment, the disclosedtechniques perform inspection of signaling/control traffic in serviceprovider networks, such as GTP-C traffic, to extract informationexchanged in the GTP-C traffic (e.g., parameters, such as locationinformation associated with the subscriber/mobile device, deviceID/IMEI, subscriber information/IMSI, and/or RAT, such as furtherdescribed below). In one embodiment, the disclosed techniques performinspection of signaling/control traffic in service provider networks,such as GTP-C traffic, to extract information exchanged in the GTP-Ctraffic (e.g., parameters, such as described above and further describedbelow) as well as to monitor tunneled user traffic in service providernetworks (e.g., using packet content inspection, such as described aboveand further described below).

In an example implementation, the security platform is configured tomonitor the respective interfaces of the SGSN and GGSN to monitorcontrol/signaling traffic (e.g., GTP-C messages) and tunneled usertraffic (GTP-U) to implement a security platform with GTP monitoringcapabilities that implements security policies, which can use, forexample, location information associated with the subscriber/mobiledevice, device ID/IMEI, subscriber information/IMSI, and/or RAT, such asfurther described below that can be extracted from control/signalingtraffic (e.g., GTP-C messages) as well as performing packet contentinspection for IP packets inside the tunnel (e.g., T-PDU), as furtherdescribed below. As described above, the locationinformation/parameters, hardware identity (e.g., IMEI), subscriberidentity (e.g., IMSI), and/or radio access technology (RAT), such asfurther described below, can be extracted from the Create PDP Requestmessage by the security platform, which can be stored (e.g., cached asassociated with the IP flow) for use in applying a security policy basedon this extracted information and/or in combination with packet contentinspection (e.g., including packet content inspection of SIGTRAN, SCTP,Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or other signaling protocoltraffic and/or various other network protocols used on service providernetworks), such as further described below.

FIG. 2B is an example of GTPv2-C messages exchanged between entitiesincluding an MME, SGW, and a PGW in a 4G/LTE network in accordance withsome embodiments. Specifically, FIG. 2B shows GTPv2-C messages exchangedfor an LTE Attach procedure with details of the GTPv2-C messagesexchanged between an MME 252, SGW 254, and a PDN-GW (PGW) 256 (e.g.,shown as a GGSN/PGW in FIG. 1B) in a 4G/LTE network. As discussed above,GTP is a standardized protocol that is based on the User DatagramProtocol (UDP).

Referring to FIG. 2B, various Diameter messages are sent from MME 252 toHome Subscriber Server (HSS) 258 and Equipment Identity Register (EIR)274, as well as between PGW 256 and PCRF 276 as shown at 264. In oneembodiment, various information/parameters, such as further describedbelow, can be extracted from such Diameter messages/session trafficbased on a security policy (e.g., monitoring Diameter messages using apass through firewall/NGFW that is located between the MME, SGW, PGW,HSS, EIR, and/or PCRF or using a firewall/NGFW implemented as VMinstances or agents executed on these entities, and/or other entities inthe mobile core network), which can be stored (e.g., cached asassociated with the IP flow) for use in applying a security policy basedon this extracted/monitored information and/or in combination withpacket content inspection of Diameter network protocol traffic, such asfurther described below.

As shown in FIG. 2B, a Create Session Request message is sent from MME252 to SGW 254 as shown at 260 and then from SGW 254 to PGW 256 as shownat 262. The Create Session Request message is a message to allocate acontrol and data channel for a new network communication access requestfor a mobile device in a 4G/LTE network (e.g., to be provided with atunnel for user IP packets for network communications over a mobileservice provider's network). For example, the GTP Create Session Requestmessage can include location, hardware identity (e.g., IMEI), subscriberidentity (e.g., IMSI), and/or radio access technology (RAT) informationin the new network communication access request for the mobile device.

In one embodiment, the security platform monitors GTP-C messages betweenthe MME, SGW, and PGW to extract certain information included withinGTP-C messages based on a security policy (e.g., monitoring GTPv2-Cmessages using a pass through firewall/NGFW that is located between theMME, SGW, and PGW or using a firewall/NGFW implemented as VM instancesor agents executed on the MME, SGW, and PGW, and/or other entities inthe mobile core network). For example, the security platform can monitorGTP-C messages and extract the location, hardware identity (e.g., IMEI),subscriber identity (e.g., IMSI), and/or radio access technology (RAT)from the Create Session Request message, such as further describedbelow.

As shown in FIG. 2B, after session establishment as shown at 264, PGW256 sends a Create Session Response message as shown at 266 to SGW 254and then from SGW 254 to MME 252 as shown at 268 to indicate whether theCreate Session Request is granted or not for the mobile device (e.g.,whether to allow tunneled user data traffic in the mobile core networkfor the mobile device). The Create Session Request and Create SessionResponse messages sent using UDP communications on port 2123 are usedfor creating the initial setup context for the session as shown in FIG.2B.

As also shown in FIG. 2B, a Modify Bearer Request message shown at 270and a Modify Bearer Response message shown at 272 are exchanged betweenthe MME, SGW, and PGW. For example, Modify Bearer Request/Responsemessages sent using UDP communications on port 2123 can be used toupdate one or more parameters for the connection/session.

In one embodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as GTP-Ctraffic, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/orother signaling protocol traffic, and inspection of tunneled usertraffic in service provider networks, such as GTP-U various othernetwork protocols used on service provider networks (e.g., using asecurity platform, such as implemented using an NGFW that is capable ofperforming packet content inspection to identify an application ID, auser ID, a content ID, perform URL filtering, and/or anotherfirewall/security policy for security/threat detection/prevention). Inone embodiment, the disclosed techniques perform inspection ofsignaling/control traffic in service provider networks, such as GTP-Ctraffic, to extract information exchanged in the GTP-C traffic (e.g.,parameters, such as location information associated with thesubscriber/mobile device, device ID/IMEI, subscriber information/IMSI,and/or RAT, such as further described below). In one embodiment, thedisclosed techniques perform inspection of signaling/control traffic inservice provider networks, such as GTP-C traffic, to extract informationexchanged in the GTP-C traffic (e.g., parameters, such as describedabove and further described below) as well as to monitor tunneled usertraffic in service provider networks (e.g., using packet contentinspection, such as described above and further described below).

In an example implementation, the security platform is configured tomonitor the respective interfaces of the MME, SGW, PGW, HSS, EIR, andPCRF to monitor control/signaling traffic (e.g., Diameter messages andGTP-C messages), tunneled user traffic (GTP-U), including packet contentinspection of GTP, SIGTRAN, SCTP, Diameter over SCTP, SCCP,CAP/MAP/INAP, and/or other signaling protocol traffic and/or variousother network protocols used on service provider networks to implement asecurity platform with GTP, SIGTRAN, SCTP, Diameter over SCTP, SCCP,CAP/MAP/INAP, and/or other signaling protocol traffic and/or variousother network traffic monitoring capabilities that implement securitypolicies, which can use, for example, parameters, such as locationinformation associated with the subscriber/mobile device, deviceID/IMEI, subscriber information/IMSI, and/or RAT, and/or any otherparameters/information that can be extracted from control/signalingtraffic (e.g., GTP-C messages and/or types of messages) as well asperforming packet content inspection for IP packets inside the tunneland packet content inspection packet content inspection of SIGTRAN,SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or other signalingprotocol traffic and/or various other network protocols used on serviceprovider networks, as further described below. As described above, thelocation information/parameters, hardware identity (e.g., IMEI),subscriber identity (e.g., IMSI), and/or radio access technology (RAT)can be extracted from the Create Session Request message by the securityplatform, which can be stored (e.g., cached as associated with the IPflow) for use in applying a security policy based on this extractedinformation and/or in combination with packet content inspection, suchas further described below.

The disclosed techniques are illustrated and generally described hereinwith respect to performing network traffic inspection of GTPv1-C andGTP-U, SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/orother signaling protocol traffic and/or various other network protocolsused on service provider networks in a 3G Mobile Packet Core (MPC) andin a 4G Evolved Packet Core (EPC) using the GTPv2-C and GTP-U protocols,SIGTRAN, SCTP, Diameter over SCTP, SCCP, CAP/MAP/INAP, and/or othersignaling protocol traffic and/or various other network protocols usedon service provider networks and/or can be similarly implemented inother mobile core networks/using other mobile network protocols (e.g.,such as for 5G core networks or other mobile networks/protocol) thatinclude location, device, subscriber, and/or RAT parameters/information(e.g., location information, hardware identity, subscriber identifierinformation, RAT type information and/or other user/device/networkspecific parameters in the respective protocols) and/or tunneled usertraffic on service provider networks for mobile device communications.

FIG. 3A is another example of a GTPv1-C message flow between an SGSN anda GGSN in a 3G network in accordance with some embodiments.Specifically, FIG. 3A shows GTPv1-C messages exchanged for a GTPv1-CCreate PDP Message flow between an SGSN 302 and a GGSN 304 in a 3Gnetwork.

Referring to FIG. 3A, a Create PDP Request message is sent from SGSN 302to GGSN 304 using the Gn/Gp interface as shown at 310. A Create PDPResponse message is sent from GGSN 304 to SGSN 302 using the Gn/Gpinterface as shown at 312.

FIG. 3B is another example of a GTPv2-C message flow between an MME,SGW, and a PGW in a 4G/LTE network in accordance with some embodiments.Specifically, FIG. 3B shows GTPv2-C messages exchanged for a GTPv2-CCreate Session Message flow between an MME 322, SGW 324, and a PDN-GW(PGW) 326 (e.g., shown as a GGSN/PGW in FIG. 1B) in a 4G/LTE network.

Referring to FIG. 3B, a Create Session Request message is sent from MME322 to SGW 324 using the S11 interface as shown at 330 and then from SGW324 to PGW 326 using the S5/S8 interface as shown at 332. A CreateSession Response message is sent from PGW 326 to SGW 324 using the S5/S8interface as shown at 334 and then from SGW 324 to MME 322 using the S11interface as shown at 336.

As will now be further described below, various information/parameters,such as location, hardware identity (e.g., IMEI), subscriber identity(e.g., IMSI), and/or radio access technology (RAT) can be extracted fromthe control/signaling traffic (e.g., GTPv1-C Create PDP Requestmessages, GTPv2-C Create Session Request messages, and/or othercontrol/signaling protocols/messages in a mobile core network) monitoredby the security platform, which can be stored (e.g., cached asassociated with the IP flow) for use in applying a security policy basedon this extracted information and/or in combination with packet contentinspection performed by the security platform on tunneled user datatraffic (e.g., GTP-U traffic and/or other tunneled user data protocolsin a mobile core network).

Techniques for Transport Layer Signaling Security with Next GenerationFirewall in Mobile Networks for Service Providers

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing transport layersignaling security (e.g., for the SIGTRAN protocol) in mobile networksfor service providers. For example, mobile service providers (e.g.,service providers of mobile networks, service providers of mobiledevices or IoTs, security service providers, or other entities thatprovide devices/services associated with using mobile networks) andMobile Virtual Network Operator (MVNO) providers can apply the disclosedtechniques to provide transport layer signaling based security to userdevices (e.g., mobile devices of subscribers) and/or IoT devices thatconnect to their mobile network using 3G, 4G, or 5G Radio AccessTechnology (RAT).

For example, mobile service providers (e.g., service providers of mobilenetworks, service providers of mobile devices or IoTs, security serviceproviders, or other entities that provide devices/services associatedwith using mobile networks) and MVNO providers can apply the disclosedtechniques to apply application layer signaling based security to theirnetwork elements in a 3G Mobile Packet Core (MPC), in a 4G EvolvedPacket Core (EPC), and/or in other mobile core networks (e.g., such asfor 5G core networks).

As another example, Internet Private Exchange (IPX) providers and GPRSRoaming Exchange (GRX) providers can apply the disclosed techniques toprovide application layer signaling based security to mobile serviceproviders (e.g., service providers of mobile networks, service providersof mobile devices or IoTs, security service providers, or other entitiesthat provide devices/services associated with using mobile networks)that take network interconnection services from them for 3G, 4G, and/or5G technologies.

As yet another example mobile service providers (e.g., service providersof mobile networks, service providers of mobile devices or IoTs,security service providers, or other entities that providedevices/services associated with using mobile networks) can apply thedisclosed techniques to provide application layer signaling basedsecurity to another mobile service providers (e.g., MVNO providers,service providers of mobile devices or IoT, security service providers,or other entities that provide devices/services associated with usingmobile networks) that take network connectivity services from them for3G, 4G, and/or 5G technologies.

In one embodiment, mobile service providers can apply the disclosedtechniques to provide new and enhanced transport layer signalingsecurity in mobile networks for service providers. For example, mobileservice providers can apply the disclosed techniques to provide atransport layer signaling based security service. As another example,mobile service providers can apply the disclosed techniques to provide atransport layer signaling based threat detection service (e.g., atransport layer signaling based, basic threat detection service forknown threats, a transport layer signaling based, advanced threatdetection service for unknown threats, and/or other threat detectionservices that can utilize transport layer signaling based information toapply security policies). As yet another example, mobile serviceproviders can apply the disclosed techniques to provide a transportlayer signaling based threat prevention service for known threats (e.g.,a transport layer signaling based, basic threat prevention service forknown threats, a transport layer signaling based, advanced threatprevention service for unknown threats, and/or other threat preventionservices that can utilize transport layer signaling based information toapply security policies).

Accordingly, the disclosed techniques for enhanced security in mobilenetworks for service providers include performing transport layersignaling based security and similarly for higher layers of signalingtraffic in mobile networks using a security platform that can implementsecurity policies based on filtered transport layer signalinginformation/messages or higher layer signaling information/messages(e.g., application signaling layers).

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) can provide each of these transport layer signalingbased security services or combinations thereof as well as various othersignaling layers based security services using the disclosed techniques.Also, mobile service providers can apply the disclosed techniques toprovide such transport layer signaling based security services incombination with various other enhanced security services, such assubscriber/user identity based, hardware identity based, RAT based,and/or combinations thereof, as further described below.

These and other techniques for providing enhanced security in mobilenetworks for service providers based on transport layer signalinginformation/messages (e.g., and/or in combination with other packetcontent inspection and/or NGFW techniques, such as Application-ID, userID, content ID, URL filtering, etc.) will be further described below.

Techniques for Application Layer Signaling Security with Next GenerationFirewall in Mobile Networks for Service Providers

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing applicationlayer signaling security (e.g., for CAP, MAP, INAP, and/or otherlayer-7/application layer signaling protocols) in mobile networks forservice providers. For example, mobile service providers (e.g., serviceproviders of mobile networks, service providers of mobile devices orIoTs, security service providers, or other entities that providedevices/services associated with using mobile networks) and MVNOproviders can apply the disclosed techniques to provide applicationlayer signaling based security to user devices (e.g., mobile devices ofsubscribers) and/or IoT devices that connect to their mobile networkusing 3G, 4G, or 5G Radio Access Technology (RAT).

For example, mobile service providers (e.g., service providers of mobilenetworks, service providers of mobile devices or IoTs, security serviceproviders, or other entities that provide devices/services associatedwith using mobile networks) and MVNO providers can apply the disclosedtechniques to apply application layer signaling based security to theirnetwork elements in a 3G Mobile Packet Core (MPC), in a 4G EvolvedPacket Core (EPC), and/or in other mobile core networks (e.g., such asfor 5G core networks).

As another example, Internet Private Exchange (IPX) providers and GPRSRoaming Exchange (GRX) providers can apply the disclosed techniques toprovide application layer signaling based security to mobile serviceproviders (e.g., service providers of mobile networks, service providersof mobile devices or IoTs, security service providers, or other entitiesthat provide devices/services associated with using mobile networks)that take network interconnection services from them for 3G, 4G, and/or5G technologies.

As yet another example mobile service providers (e.g., service providersof mobile networks, service providers of mobile devices or IoTs,security service providers, or other entities that providedevices/services associated with using mobile networks) can apply thedisclosed techniques to provide application layer signaling basedsecurity to another mobile service providers (e.g., MVNO providers,service providers of mobile devices or IoT, security service providers,or other entities that provide devices/services associated with usingmobile networks) that take network connectivity services from them for3G, 4G, and/or 5G technologies.

In one embodiment, mobile service providers can apply the disclosedtechniques to provide new and enhanced application layer signalingsecurity in mobile networks for service providers. For example, mobileservice providers can apply the disclosed techniques to provide anapplication layer signaling based security service. As another example,mobile service providers can apply the disclosed techniques to providean application layer signaling based threat detection service (e.g., anapplication layer signaling based, basic threat detection service forknown threats, an application layer signaling based, advanced threatdetection service for unknown threats, and/or other threat detectionservices that can utilize application layer signaling based informationto apply security policies). As yet another example, mobile serviceproviders can apply the disclosed techniques to provide an applicationlayer signaling based threat prevention service for known threats (e.g.,an application layer signaling based, basic threat prevention servicefor known threats, an application layer signaling based, advanced threatprevention service for unknown threats, and/or other threat preventionservices that can utilize application layer signaling based informationto apply security policies).

Accordingly, the disclosed techniques for enhanced security in mobilenetworks for service providers include performing application layersignaling based security in mobile networks using a security platformthat can implement security policies based on filtered application layersignaling information/messages or lower layer signalinginformation/messages (e.g., transport and network signaling layers).

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) can provide each of these application layer signalingbased security services or combinations thereof as well as various othersignaling layers based security services using the disclosed techniques.Also, mobile service providers can apply the disclosed techniques toprovide such application layer signaling based security services incombination with various other enhanced security services, such assubscriber/user identity based, hardware identity based, RAT based,and/or combinations thereof, as further described below.

These and other techniques for providing enhanced security in mobilenetworks for service providers based on application layer signalinginformation/messages (e.g., and/or in combination with other packetcontent inspection and/or NGFW techniques, such as Application-ID, userID, content ID, URL filtering, etc.) will be further described below.

Techniques for Network Layer Signaling Security with Next GenerationFirewall in Mobile Networks for Service Providers

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing network layersignaling security in mobile networks for service providers. Forexample, mobile service providers (e.g., service providers of mobilenetworks, service providers of mobile devices or IoTs, security serviceproviders, or other entities that provide devices/services associatedwith using mobile networks) and MVNO providers can apply the disclosedtechniques to provide SCCP-based security to user devices (e.g., mobiledevices of subscribers) and/or IoT devices that connect to their mobilenetwork using 3G, 4G, or 5G Radio Access Technology (RAT).

For example, mobile service providers (e.g., service providers of mobilenetworks, service providers of mobile devices or IoTs, security serviceproviders, or other entities that provide devices/services associatedwith using mobile networks) and MVNO providers can apply the disclosedtechniques to apply application layer signaling based security to theirnetwork elements in a 3G Mobile Packet Core (MPC), in a 4G EvolvedPacket Core (EPC), and/or in other mobile core networks (e.g., such asfor 5G core networks).

As another example, Internet Private Exchange (IPX) providers and GPRSRoaming Exchange (GRX) providers can apply the disclosed techniques toprovide application layer signaling based security to mobile serviceproviders (e.g., service providers of mobile networks, service providersof mobile devices or IoTs, security service providers, or other entitiesthat provide devices/services associated with using mobile networks)that take network interconnection services from them for 3G, 4G, and/or5G technologies.

As yet another example mobile service providers (e.g., service providersof mobile networks, service providers of mobile devices or IoTs,security service providers, or other entities that providedevices/services associated with using mobile networks) can apply thedisclosed techniques to provide application layer signaling basedsecurity to another mobile service providers (e.g., MVNO providers,service providers of mobile devices or IoT, security service providers,or other entities that provide devices/services associated with usingmobile networks) that take network connectivity services from them for3G, 4G, and/or 5G technologies.

In one embodiment, mobile service providers can apply the disclosedtechniques to provide new and enhanced network layer signaling securityin mobile networks for service providers. For example, mobile serviceproviders can apply the disclosed techniques to provide network layersignaling based security service. As another example, mobile serviceproviders can apply the disclosed techniques to provide network layersignaling based threat detection service (e.g., an SCCP-based, basicthreat detection service for known threats, a network layer signalingbased, advanced threat detection service for unknown threats, and/orother threat detection services that can utilize SCCP-based informationto apply security policies). As yet another example, mobile serviceproviders can apply the disclosed techniques to provide a network layersignaling based threat prevention service for known threats (e.g., anSCCP-based, basic threat prevention service for known threats, anSCCP-based, advanced threat SCCP service for unknown threats, and/orother threat prevention services that can utilize SCCP-based informationto apply security policies).

Accordingly, the disclosed techniques for enhanced security in mobilenetworks for service providers include performing network layersignaling based security in mobile networks using a security platformthat can implement security policies based on filtered network layersignaling information/messages (e.g., SCCP information/messages) orlower/higher layer signaling information/messages.

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) can provide each of these network layer signaling basedsecurity services or combinations thereof as well as various othersignaling layers based security services using the disclosed techniques.Also, mobile service providers can apply the disclosed techniques toprovide such network layer signaling based security services incombination with various other enhanced security services, such assubscriber/user identity based, hardware identity based, RAT based,and/or combinations thereof, as further described below.

These and other techniques for providing enhanced security in mobilenetworks for service providers based on network layer signalinginformation/messages (e.g., and/or in combination with other packetcontent inspection and/or NGFW techniques, such as Application-ID, userID, content ID, URL filtering, etc.) will be further described below.

Techniques for Diameter over SCTP Security with Next Generation Firewallin Mobile Networks for Service Providers

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include techniques for Diameterover SCTP security with next generation firewall in mobile networks forservice providers. For example, mobile service providers and MVNOproviders can apply the disclosed techniques to provide Diameter overSCTP security (e.g., in combination with Application-ID using an NGFW)to user devices that connect to their mobile network via 3G, 4G, or 5Gnetworks.

For example, mobile service providers (e.g., service providers of mobilenetworks, service providers of mobile devices or IoTs, security serviceproviders, or other entities that provide devices/services associatedwith using mobile networks) and MVNO providers can apply the disclosedtechniques to apply application layer signaling based security to theirnetwork elements in a 3G Mobile Packet Core (MPC), in a 4G EvolvedPacket Core (EPC), and/or in other mobile core networks (e.g., such asfor 5G core networks).

As another example, Internet Private Exchange (IPX) providers and GPRSRoaming Exchange (GRX) providers can apply the disclosed techniques toprovide application layer signaling based security to mobile serviceproviders (e.g., service providers of mobile networks, service providersof mobile devices or IoTs, security service providers, or other entitiesthat provide devices/services associated with using mobile networks)that take network interconnection services from them for 3G, 4G, and/or5G technologies.

As yet another example mobile service providers (e.g., service providersof mobile networks, service providers of mobile devices or IoTs,security service providers, or other entities that providedevices/services associated with using mobile networks) can apply thedisclosed techniques to provide application layer signaling basedsecurity to another mobile service providers (e.g., MVNO providers,service providers of mobile devices or IoT, security service providers,or other entities that provide devices/services associated with usingmobile networks) that take network connectivity services from them for3G, 4G, and/or 5G technologies.

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include providing Diameter overSCTP security in mobile networks for service providers. For example,mobile service providers can apply the disclosed techniques to provideDiameter over SCTP security services to user devices (e.g., mobiledevices of subscribers) and/or IoT devices that connect to their mobilenetwork.

In one embodiment, mobile service providers can apply the disclosedtechniques to provide new and enhanced Diameter over SCTP securityservices. For example, mobile service providers can apply the disclosedtechniques to provide a Diameter over SCTP based security service. Asanother example, mobile service providers can apply the disclosedtechniques to provide a threat detection service using informationextracted from Diameter over SCTP (e.g., a Diameter over SCTP based,basic threat detection service for known threats, a Diameter overSCTP-based, advanced threat detection service for unknown threats,and/or other threat detection services that can utilize Diameter overSCTP decoded/extracted information to apply security policies). As yetanother example, mobile service providers can apply the disclosedtechniques to provide a threat prevention service for known threatsusing information extracted from Diameter over SCTP (e.g., a Diameterover SCTP-based, basic threat prevention service for known threats, aDiameter over SCTP-based, advanced threat prevention service for unknownthreats, and/or other threat prevention services that can utilizeDiameter over SCTP decoded/extracted information to apply securitypolicies).

In one embodiment, the disclosed techniques for enhanced security inmobile networks for service providers include performing Diameter overSCTP-based security in mobile networks using a security platform thatcan implement security policies based on Diameter over SCTPdecoded/extracted information. For example, a security platform canmonitor Diameter over SCTP traffic in a mobile network and process(e.g., parse) the protocol/payloads to extract various information.

Example System Architectures for Implementing Enhanced SignalingSecurity in Mobile Networks for Service Providers

FIG. 4A is a block diagram of a 4G/LTE wireless network with a securityplatform for providing Diameter over SCTP security with next generationfirewall in mobile networks for service providers in accordance withsome embodiments. FIG. 4A is an example service provider networkenvironment for a 4G/LTE EPC network architecture that includes a 4G/LTEnetwork (e.g., and can also include Wired, Wi-Fi, 3G, 5G, and/or othernetworks) to facilitate data communications for subscribers over theInternet and/or other networks. As shown in FIG. 4A, a Home Public LandMobile Network (PLMN) 424 is in communication with a Radio AccessNetwork (RAN) 436 which is in communication via a backhaul (BH) networkwith an Evolved Packet Core (EPC) network 402 to facilitate access to aPacket Data Network (PDN) 438 (e.g., the Internet). As also shown, aVisitor PLMN 426 is in communication with a RAN 432 which is incommunication via a BH network with an EPC network 412 to facilitateaccess to a PDN 434 (e.g., the Internet). As shown, various UserEquipment (UE), such as mobile user devices 428 (e.g., mobile phones,tablets, watches, laptops, and/or other computing devices) and connectedthings 430 (e.g., various IoT devices), can communicate using variouscells in RAN 432.

FIG. 4A shows a network placement of a security platform, shown as a FW404 (e.g., an NGFW or other security platform as similarly describedabove), in EPC 402 for monitoring and decoding Diameter over SCTPtraffic between EPC 402 and EPC 412. Specifically, FW 404 monitorsDiameter over SCTP traffic between a Mobile Management Entity (MME) 414and an Equipment Identity Register (EIR) 406 (e.g., via the S13interface) to facilitate SCTP association and inspect the Diameterpayload as shown at 418, and also monitors Diameter over SCTP trafficbetween MME 414 and Home Subscriber Server (HSS) 408 (e.g., via the Shainterface) to facilitate SCTP association and inspect the Diameterpayload as shown at 420. Similarly, FW 404 monitors Diameter over SCTPtraffic between Visitor Policy Control and Charging Rules Function(V-PCRF) 416 and Home Policy Control and Charging Rules Function(H-PCRF) 410 (e.g., via the S9 interface) to facilitate SCTP associationand inspect the Diameter payload as shown at 422.

For example, various security policies can be enforced by FW 404 basedon parameters/information extracted from such Diameter over SCTP trafficusing the disclosed techniques (e.g., roaming subscribers generally canhave a distinct security policy enforced that is different than asecurity policy enforced for non-roaming subscribers to facilitateenhanced roaming security on service provider networks). In an exampleimplementation, roaming subscribers may have access restricted based onApplication-ID (and/or other packet content inspection determinedinformation, such as Content-ID, User-ID, URL, etc.), and/or variousother security policies can be enforced.

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) and MVNO providers can provide each of these Diameterover SCTP-based security services or combinations thereof as well asvarious other Diameter over SCTP-based services using the disclosedtechniques. Also, mobile service providers can apply the disclosedtechniques to provide such using Diameter over SCTP-based securityservices in combination with various other enhanced security services,such as location based, mobile device identifier based, mobile useridentifier based, and/or combinations thereof, as further describedbelow.

These and other techniques for providing Diameter over SCTP securitywith next generation firewall in mobile networks for service providers(e.g., using various packet content inspection and/or NGFW techniques,such as Application-ID, user ID, content ID, URL filtering, etc.) willbe further described below.

FIG. 4B is a block diagram of a 4G/LTE wireless network with a securityplatform for providing SIGTRAN security with next generation firewall inmobile networks for service providers in accordance with someembodiments. FIG. 4B is an example service provider network environmentfor a 4G/LTE EPC network architecture that includes a 4G/LTE network(e.g., and can also include Wired, Wi-Fi, 3G, 5G, and/or other networks)to facilitate data communications for subscribers over the Internetand/or other networks. As shown in FIG. 4B, a Home PLMN 424 is incommunication with a RAN 436 which is in communication via a BH networkwith a mobile core network, shown as an EPC 450, that includes a ServingGPRS Support Node (SGSN) 442, a Mobile Switching Center (MSC) 444, aHome Location Register (HLR) 446, and a Visitor Location Register (VLR)448. As also shown, a Visitor PLMN 426 is in communication with a GlobalSignaling System No. 7 (SS7) network 452 which is in communication withthe mobile core network. As will be apparent to one of ordinary skill inthe art, various UE, such as mobile user devices (e.g., mobile phones,tablets, watches, laptops, and/or other computing devices) and connectedthings (e.g., various IoT devices), can communicate via Home PLMN 424(e.g., using various cells in RAN 436) or similarly via Visitor PLMN426.

FIG. 4B shows a network placement of a security platform, shown as a FW440 (e.g., a NGFW or other security platform as similarly describedabove), between EPC 450 and Global SS7 Network 452 for monitoring anddecoding SIGTRAN traffic between EPC 450 and Global SS7 Network 452.

For example, various security policies can be enforced by FW 440 basedon parameters/information extracted from such SIGTRAN traffic using thedisclosed techniques (e.g., roaming subscribers generally can have adistinct security policy enforced that is different than a securitypolicy enforced for non-roaming subscribers). In an exampleimplementation, roaming subscribers may have access restricted based onApplication-ID (and/or other packet content inspection determinedinformation, such as Content-ID, User-ID, URL, etc.), and/or variousother security policies can be enforced.

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) and MVNO providers can provide each of these SIGTRANbased security services or combinations thereof as well as various otherSIGTRAN based services using the disclosed techniques. Also, mobileservice providers can apply the disclosed techniques to provide suchusing SIGTRAN based security services in combination with various otherenhanced security services, such as location based, mobile deviceidentifier based, and mobile user identifier based, and/or combinationsthereof, as further described below.

These and other techniques for providing SIGTRAN security with nextgeneration firewall in mobile networks for service providers (e.g.,using various packet content inspection and/or NGFW techniques, such asApplication-ID, user ID, content ID, URL filtering, etc.) will befurther described below.

FIG. 4C is a block diagram of a 4G/LTE wireless network with a securityplatform for providing SCCP security with next generation firewall inmobile networks for service providers in accordance with someembodiments. FIG. 4C is an example service provider network environmentfor a 4G/LTE EPC network architecture that includes a 4G/LTE network(e.g., and can also include Wired, Wi-Fi, 3G, 5G, and/or other networks)to facilitate data communications for subscribers over the Internetand/or other networks. As shown in FIG. 4C, a Home PLMN 424 is incommunication with a RAN 436 which is in communication via a BH networkwith a mobile core network, shown as an EPC 450, that includes an SGSN442, an MSC 444, an HLR 446, and a VLR 448. As also shown, a VisitorPLMN 426 is in communication with a Global SS7 network 452 which is incommunication with the mobile core network. As will be apparent to oneof ordinary skill in the art, various UE, such as mobile user devices(e.g., mobile phones, tablets, watches, laptops, and/or other computingdevices) and connected things (e.g., various IoT devices), cancommunicate via Home PLMN 424 (e.g., using various cells in RAN 436) orsimilarly via Visitor PLMN 426.

FIG. 4C shows a network placement of a security platform, shown as an FW460 (e.g., an NGFW or other security platform as similarly describedabove), between EPC 450 and Global SS7 Network 452 for monitoring anddecoding SCCP traffic between EPC 450 and Global SS7 Network 452.

For example, various security policies can be enforced by FW 460 basedon parameters/information extracted from such SCCP traffic using thedisclosed techniques (e.g., roaming subscribers generally can have adistinct security policy enforced that is different than a securitypolicy enforced for non-roaming subscribers). In an exampleimplementation, roaming subscribers may have access restricted based onApplication-ID (and/or other packet content inspection determinedinformation, such as Content-ID, User-ID, URL, etc.), and/or variousother security policies can be enforced.

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) and MVNO providers can provide each of these SCCP-basedsecurity services or combinations thereof as well as various otherSCCP-based services using the disclosed techniques. Also, mobile serviceproviders can apply the disclosed techniques to provide such usingSCCP-based security services in combination with various other enhancedsecurity services, such as location based, mobile device identifierbased, and mobile user identifier based, and/or combinations thereof, asfurther described below.

These and other techniques for providing SCCP security with nextgeneration firewall in mobile networks for service providers (e.g.,using various packet content inspection and/or NGFW techniques, such asApplication-ID, user ID, content ID, URL filtering, etc.) will befurther described below.

FIG. 4D is a block diagram of a 4G/LTE wireless network with a securityplatform for providing OSI layer 7 signaling security with nextgeneration firewall in mobile networks for service providers inaccordance with some embodiments. FIG. 4D is an example service providernetwork environment for a 4G/LTE EPC network architecture that includesa 4G/LTE network (e.g., and can also include Wired, Wi-Fi, 3G, 5G,and/or other networks) to facilitate data communications for subscribersover the Internet and/or other networks. As shown in FIG. 4D, a HomePLMN 424 is in communication with a RAN 436 which is in communicationvia a BH network with a mobile core network, shown as an EPC 450 thatincludes an SGSN 442, an MSC 444, an HLR 446, and a VLR 448. As alsoshown, a Visitor PLMN 426 is in communication with a Global SS7 network452 which is in communication with the mobile core network. As will beapparent to one of ordinary skill in the art, various UE, such as mobileuser devices (e.g., mobile phones, tablets, watches, laptops, and/orother computing devices) and connected things (e.g., various IoTdevices), can communicate via Home PLMN 424 (e.g., using various cellsin RAN 436) or similarly via Visitor PLMN 426.

FIG. 4D shows a network placement of a security platform, shown as a FW470 (e.g., an NGFW or other security platform as similarly describedabove), between EPC 450 and Global SS7 Network 452 for monitoring anddecoding OSI layer 7 signaling traffic (e.g., CAP/MAP/INAP or other OSIlayer 7 signaling traffic) between EPC 450 and Global SS7 Network 452.

For example, various security policies can be enforced by FW 470 basedon parameters/information extracted from such OSI layer 7 signalingtraffic (e.g., CAP/MAP/INAP or other OSI layer 7 signaling traffic)using the disclosed techniques (e.g., roaming subscribers generally canhave a distinct security policy enforced that is different than asecurity policy enforced for non-roaming subscribers). In an exampleimplementation, roaming subscribers may have access restricted based onApplication-ID (and/or other packet content inspection determinedinformation, such as Content-ID, User-ID, URL, etc.), and/or variousother security policies can be enforced.

As will now be apparent to those of ordinary skill in the art, mobileservice providers (e.g., service providers of mobile networks, serviceproviders of mobile devices or IoTs, security service providers, orother entities that provide devices/services associated with usingmobile networks) can provide each of these OSI layer 7 signaling (e.g.,CAP/MAP/INAP or other OSI layer 7 signaling traffic) based securityservices or combinations thereof as well as various other OSI layer 7signaling based services using the disclosed techniques. Also, mobileservice providers can apply the disclosed techniques to provide suchusing OSI layer 7 signaling based security services in combination withvarious other enhanced security services, such as location based, mobiledevice identifier based, and mobile user identifier based, and/orcombinations thereof, as further described below.

These and other techniques for providing OSI layer 7 signaling securitywith next generation firewall in mobile networks for service providers(e.g., using various packet content inspection and/or NGFW techniques,such as Application-ID, user ID, content ID, URL filtering, etc.) willbe further described below.

FIG. 4E illustrates an example signaling protocol stack. Referring toFIG. 4E, the example signaling layers include CAP, MAP, INAP, TCAP,SCCP, SIGTRAN, Diameter, and SCTP.

FIG. 4F illustrates an example of the SS7 over IP protocol stack.Referring to FIG. 4F, the layer 7/application signaling layers, such asCAP, MAP, and INAP, are also shown.

Example Signaling Attacks that can be Prevented to Provide EnhancedSecurity for Mobile/Service Provider Networks Using a Security Platformfor Security Policy Enforcement

Security Platform Solutions for Example MAP Protocol Vulnerabilities andAttacks

FIG. 5A is an example signaling attack with a MAP message that can beprevented to provide enhanced security for mobile/service providernetworks using a security platform for security policy enforcement inaccordance with some embodiments. In this first example signalingattack, when a MAP anyTimeInterrogation (ATI) message 502 is sent froman unauthorized user/attacker 530 to a subscriber's HLR 514 (e.g., suchan ATI message can query the subscriber's HLR for the subscriber'sCell-ID and IMEI), the ATI message triggers a provideSubscriberInfo(PSI) message 504 that is then sent to a MSC/VLR 516 to which thesubscriber's device 518 is connected/in wireless communication with asshown at paging request message 506. In response, the subscriber'sdevice 518 returns the cell identifier (Cell-ID) of the subscriber withother information as shown at a paging response message 508, and thenMSC/VLR 516 returns a provideSubscriberInfo resp message 510, and HLR514 returns an anyTimeInterrogation resp message 512 as shown.

In this example signaling attack with a MAP message, the unauthorizeduser/attacker can then use the anyTimeInterrogation resp message toacquire the Cell-ID of the subscriber's device. The Cell-ID can then bemapped to an actual location (e.g., to the street level) using publiclyavailable mapping information. As such, this type of signaling attackwith a MAP message can be utilized by the unauthorized user/attacker tomonitor a location of the subscriber with the subscriber's permission orknowledge.

In one embodiment, the disclosed techniques can be performed by asecurity platform to monitor OSI layer 7/application layer signalingtraffic including MAP traffic and to decode the monitored MAP traffic. Asecurity policy can be configured to identify such a signaling attackwith a MAP message and to block/drop the anyTimeInterrogation reqmessage from untrusted/external networks to thereby not allow theunauthorized user/attacker to acquire the Cell-ID of the subscriber'sdevice and prevent the discovery of the subscriber's location as aresult.

FIG. 5B is another example signaling attack with a MAP message that canbe prevented to provide enhanced security for mobile/service providernetworks using a security platform for security policy enforcement inaccordance with some embodiments. In this second example signalingattack, the MSC can be requested by an unauthorized user/attacker toreturn the IMSI if the TMSI is known. The MSC can also be queried forthe session keys for the subscriber. If the unauthorized user/attackercaptures an encrypted GSM or UMTS call, then the unauthorizeduser/attacker can then decrypt it using the session keys.

Referring to FIG. 5B, unauthorized user/attacker 530 first captures thetarget's traffic over the air interface (e.g., which generally involvesthe unauthorized user/attacker being within a certain physical proximityof the target). Next, with access to the SS7 network, the unauthorizeduser/attacker can then send a sendIdentification req message with TMSI540 to MSC/VLR 516 and retrieve the decryption keys for the target'sdevice 518 via a provideSubscriberLocation resp containing session keysmessage 542. These decryption/session keys can be used to decrypt thesubscriber's traffic as discussed above.

In one embodiment, the disclosed techniques can be performed by asecurity platform to monitor OSI layer 7/application layer signalingtraffic including MAP traffic and to decode the monitored MAP traffic. Asecurity policy can be configured to identify such a signaling attackwith a MAP message and to block/drop the sendIdentification req messagefrom untrusted/external networks.

FIG. 5C is another example signaling attack with a MAP message that canbe prevented to provide enhanced security for mobile/service providernetworks using a security platform for security policy enforcement inaccordance with some embodiments. In this third example signalingattack, authentication at a Gateway Mobile Location Center (GMLC) 558can be bypassed by directly querying the VLR. In this example signalingattack, unauthorized user/attacker 530 sends a provideSubscriberLocationreq message 550 to MSC 556 and then receives a provideSubscriberLocationresp message 552 as shown.

In one embodiment, the disclosed techniques can be performed by asecurity platform to monitor OSI layer 7 signaling traffic including MAPtraffic and to decode the monitored MAP traffic. A security policy canbe configured to identify such a signaling attack with a MAP message andto block/drop the provideSubscriberLocation req message fromuntrusted/external networks to prevent this type of signaling attack.

Security Platform Solutions for Example Diameter ProtocolVulnerabilities and Attacks

A signaling flood of authentication messages is a Diameter relatedattack example. A signaling flood of Diameter authentication messagesattack is a signaling related network outage example that can causecongestion problems on a service provider network. Specifically, asignaling flood of Diameter authentication messages can cause acongestion problem related to the number of devices re-authenticatingonto the service provider network's network and that can cause somesubscribers to have their mobile connectivity drop out. For example,Spark Telecom in New Zealand was impacted by a congestion issue due to asignaling flood of Diameter authentication messages, for exampleDiameter Sha Authentication Information Request (AIR) (see, e.g.,https://www. stuff co.nz/business/88869002/Spark-network-outages-reported-around-the-country).In one embodiment, the disclosed techniques for monitoring signalingtraffic (e.g., including Diameter traffic, such as the followingDiameter messages: Diameter Sha ULR (Update Location Request) andDiameter s6a AIR (Authentication Information Request)) are performed toimplement a security policy and perform stateful inspection (e.g.,configure a security policy that can detect and prevent such signalingflood of Diameter authentication messages attacks based onthrottling/threshold limits for such authentication messages, which caninclude throttling per Diameter message type based on three parameters:(a) aggregation criteria per source, destination, source anddestination, and (b) threshold (i.e., number of messages per second andtime interval over which message are counted, during stateful inspectionby the NFGW/security platform).

Security Platform Solutions for Example SS7 Protocol Vulnerabilities andAttacks

Various SS7 related attack examples are well known (e.g., the TelenorSS7 attack in 2016, see, e.g.,https://www.digi.no/artikler/et-ondsinnet-angrep-mot-telenor-ville-hatt-samme-konsekvens/320604(discussing a network wide outage that was due to an SS7 vulnerabilityin the affected Telenor HLR was a network wide outage of over 3 hours onthe Telenor network in Norway in February 2016, which revealed that itwas possible for a well-informed individual to remotely take down anetwork in another country all over the public SS7 network, without anyphysical access to the target network)). In one embodiment, thedisclosed techniques for monitoring signaling traffic (e.g., includingSS7 traffic) are performed to implement a security policy and performstateful inspection (e.g., configure a security policy that can detectand prevent such SS7 attacks based on throttling/threshold limits and/orfiltering of certain messages, which can include throttling per MAPmessage type, such as DeleteSubscriberData, SendIdentification,SendRoutingInfo, and/or other SS7 protocols message types, which can betuned based on three parameters: (a) aggregation criteria per source,destination, source and destination, and (b) threshold (i.e., number ofmessages per second and time interval over which message are counted,during stateful inspection by the NFGW/security platform).

Security Platform Solutions for Example SCCP Protocol Vulnerabilitiesand Attacks

A signaling flood of SCCP messages is an SCCP related attack example(e.g., of various SCCP message types, such as Connection Confirmed,Connection Released). Specifically, a signaling message flood at theSCCP layer can be used by an attacker to overload a signaling point likeSTP, SSP, and SCP and compromise its function, causing a different kindof DoS attack. In one embodiment, the disclosed techniques formonitoring network layer signaling traffic (e.g., including SCCPtraffic) are performed to implement a security policy and performstateful inspection (e.g., configure a security policy that can detectand prevent such signaling message flood at the SCCP layer attacks basedon throttling/threshold limits and/or filtering of certain messages,which can include throttling per SCCP message type, such as ConnectionConfirmed, Connection Released, and/or other SCCP message types, whichcan be tuned based on three parameters: (a) aggregation criteria persource, destination, source and destination, and (b) threshold (i.e.,number of messages per second and time interval over which message arecounted, during stateful inspection by the NFGW/security platform).

As will now be apparent in view of the disclosed embodiments, a networkservice provider/mobile operator (e.g., a cellular service providerentity), MVNO provider, a device manufacturer (e.g., an automobileentity, IoT device entity, and/or other device manufacturer), and/orsystem integrators can specify such security policies that can beenforced by a security platform using the disclosed techniques to solvethese example signaling related security problems and/or other existingor not yet discovered security related problems on service providernetworks (e.g., vulnerabilities and/or attacks utilizing one or more ofthe above-described signaling layers on mobile service providernetworks) and other technical network security challenges.

Example Hardware Components of a Network Device for Performing SecurityPolicy Enforcement on Mobile/Service Provider Network Environments

FIG. 6 is a functional diagram of hardware components of a networkdevice for performing security policy enforcement on mobile/serviceprovider network environments in accordance with some embodiments. Theexample shown is a representation of physical/hardware components thatcan be included in network device 600 (e.g., an appliance, gateway, orserver that can implement the security platform disclosed herein).Specifically, network device 600 includes a high performance multi-coreCPU 602 and RAM 604. Network device 600 also includes a storage 610(e.g., one or more hard disks or solid state storage units), which canbe used to store policy and other configuration information as well assignatures. In one embodiment, storage 610 stores location information,hardware identifier information, subscriber identity information, RATinformation and associated IP addresses, and/or various otherinformation (e.g., Application-ID, Content-ID, User-ID, URL, and/orother information, such as monitored and/or extracted from decodednetwork traffic, such as SCTP, Diameter over SCTP, SIGTRAN, SCCP, and/orlayer 7/application layer signaling traffic, including CAP, MAP, and/orINAP, as similarly described herein) that are monitored for implementingthe disclosed security policy enforcement techniques using a securityplatform/firewall device. Network device 600 can also include one ormore optional hardware accelerators. For example, network device 600 caninclude a cryptographic engine 606 configured to perform encryption anddecryption operations, and one or more FPGAs 608 configured to performsignature matching, act as network processors, and/or perform othertasks.

Example Logical Components of a Network Device for Performing SecurityPolicy Enforcement on Mobile/Service Provider Network Environments

FIG. 7 is a functional diagram of logical components of a network devicefor performing security policy enforcement on mobile/service providernetwork environments in accordance with some embodiments. The exampleshown is a representation of logical components that can be included innetwork device 700 (e.g., a data appliance, which can implement thedisclosed security platform and perform the disclosed techniques). Asshown, network device 700 includes a management plane 702 and a dataplane 704. In one embodiment, the management plane is responsible formanaging user interactions, such as by providing a user interface forconfiguring policies and viewing log data. The data plane is responsiblefor managing data, such as by performing packet processing and sessionhandling.

Suppose a mobile device attempts to access a resource (e.g., a remoteweb site/server, an IoT device, or another resource) using an encryptedsession protocol, such as SSL. Network processor 706 is configured tomonitor packets from the mobile device, and provide the packets to dataplane 704 for processing. Flow 708 identifies the packets as being partof a new session and creates a new session flow. Subsequent packets willbe identified as belonging to the session based on a flow lookup. Ifapplicable, SSL decryption is applied by SSL decryption engine 710 usingvarious techniques as described herein. Otherwise, processing by SSLdecryption engine 710 is omitted. Application identification (ID) module712 is configured to determine what type of traffic the session involvesand to identify a user associated with the traffic flow (e.g., toidentify an Application-ID as described herein). For example,Application ID 712 can recognize a GET request in the received data andconclude that the session requires an HTTP decoder. As another example,Application ID 712 can recognize a Create Session Request or a CreatePDP Request in the received data and conclude that the session requiresa GTP decoder. For each type of protocol (e.g., various signalingprotocols as discussed above, including SCTP, Diameter over SCTP,SIGTRAN, SCCP, and/or layer 7/application layer signaling traffic,including CAP, MAP, and/or INAP, and/or other signaling protocols) thereexists a corresponding decoder 714. In one embodiment, the applicationidentification is performed by an application identification module(e.g., Application ID component/engine), and a user identification isperformed by another component/engine. Based on the determination madeby Application ID 712, the packets are sent to an appropriate decoder714. Decoder 714 is configured to assemble packets (e.g., which may bereceived out of order) into the correct order, perform tokenization, andextract out information. Decoder 714 also performs signature matching todetermine what should happen to the packet. SSL encryption engine 716performs SSL encryption using various techniques as described herein andthe packets are then forwarded using a forward component 718 as shown.As also shown, policies 720 are received and stored in the managementplane 702. In one embodiment, policy enforcement (e.g., policies caninclude one or more rules, which can be specified using domain and/orhost/server names, and rules can apply one or more signatures or othermatching criteria or heuristics, such as for security policy enforcementfor subscriber/IP flows on service provider networks based on variousextracted parameters/information from monitored GTP-C messages and/orpacket content inspection of monitored GTP-U, SCTP, Diameter over SCTP,SIGTRAN, SCCP, and/or layer 7/application layer signaling traffic,including CAP, MAP, and/or INAP traffic as disclosed herein) is appliedas described herein with respect to various embodiments based on themonitored, decrypted, identified, and decoded session traffic flows.

As also shown in FIG. 7 , an interface (I/F) communicator 722 is alsoprovided for security platform manager communications (e.g., via (REST)APIs, messages, or network protocol communications or othercommunication mechanisms). In some cases, network communications ofother network elements on the service provider network are monitoredusing network device 700, and data plane 704 supports decoding of suchcommunications (e.g., network device 700, including I/F communicator 722and decoder 714, can be configured to monitor and/or communicate on, forexample, Gn, Gp, S1-MME, S5, S6a/S6d, S8, X2, S9, S11, S13/S13′, Gr, Gd,Gf, B, C, D, E, and/or other interfaces where wired and wireless networktraffic flow exists as similarly described herein). As such, networkdevice 700 including I/F communicator 722 can be used to implement thedisclosed techniques for security policy enforcement on mobile/serviceprovider network environments as described above and as will be furtherdescribed below.

Additional example processes for the disclosed techniques for monitoringsignaling traffic and performing security policy enforcement onmobile/service provider network environments will now be described.

Example Processes for Transport Layer Signaling Security with NextGeneration Firewall in Mobile Networks for Service Providers

FIG. 8 is a flow diagram of a process for performing transport layersignaling based security in mobile networks for service providers inaccordance with some embodiments. In some embodiments, a process 800 asshown in FIG. 8 is performed by the security platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1A-7 . In one embodiment, process 800 is performed bydata appliance 600 as described above with respect to FIG. 6 , networkdevice 700 as described above with respect to FIG. 7 , a virtualappliance, an SDN security solution, a cloud security service, and/orcombinations or hybrid implementations of the aforementioned asdescribed herein.

The process begins at 802. At 802, monitoring transport layer signalingtraffic on a service provider network at a security platform isperformed. For example, the security platform (e.g., a firewall, anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies) can monitorSIGTRAN traffic on the mobile core network.

At 804, filtering the transport layer signaling traffic at the securityplatform based on a security policy is performed. For example, thesecurity platform can filter the transport layer signaling trafficprotocol (e.g., SIGTRAN protocol) and a higher layer signaling protocol(e.g., SCCP protocol) based on the security policy.

At 806, state and packet validation of a lower layer signaling protocolis performed based on the security policy. For example, the securityplatform can perform state and packet validation of the underlying SCTPprotocol per payload protocol identifier (PPID) and source/destinationIP addresses while filtering SIGTRAN protocol messages.

In one embodiment, the security platform performs filtering of anySIGTRAN protocol messages while performing state and packet validationof the underlying SCTP protocol per PPID and source/destination or bothIP/IPs. For example, the security platform can filter M3UA protocolmessages while performing state and packet validation of the underlyingSCTP protocol per PPID and source/destination IP addresses (IPs). Asanother example, the security platform can filter M2UA protocol messageswhile performing state and packet validation of the underlying SCTPprotocol per PPID and source/destination IPs. As another example, thesecurity platform can filter SUA protocol messages while performingstate and packet validation of the underlying SCTP protocol per PPID andsource/destination IPs. As another example, the security platform canfilter M2PA protocol messages while performing state and packetvalidation of the underlying SCTP protocol per PPID andsource/destination IPs.

At 808, enforcing the security policy using the security platform isperformed. For example, various enforcement actions (e.g., allow/pass,block/drop, alert, tag, monitor, log, throttle, restrict access, and/orother enforcement actions) can be performed using the security platformas similarly described above. For example, the security platform canblock a message filtered in the transport layer signaling traffic or ahigher layer of signaling traffic based on the security policy.

In an example implementation, the security platform can extractadaptation layer information from the PPID field in the SCTP data chunkreceived for the firewall sessions that are installed for the SCTPprotocol. These firewall sessions are related to successful SCTPassociations that completed a 4-way handshake and other packet levelchecks. PPID are allotted by IANA (e.g., specified athttps://www.iana.org/assignments/sctp-parameters/sctp-parameters.xhtml).PPID information can be used by the security platform to apply afiltering mechanism and rate limiting mechanisms to facilitate enhancedsignaling security on mobile service provider networks.

In one embodiment, the security platform performs rate limiting of anySIGTRAN protocol messages with aggregation criteria of source,destination, or source and destination IP/IPs, time interval in secondsand threshold/number of hits while performing state and packetvalidation of the underlying SCTP protocol. For example, the securityplatform can perform rate limiting of M3UA protocol messages withaggregation criteria of source, destination, or source and destinationIP/IPs, time interval in seconds and threshold/number of hits whileperforming state and packet validation of the underlying SCTP protocol.As another example, the security platform can perform rate limiting ofM2UA protocol messages with aggregation criteria of source, destination,or source and destination IP/IPs, time interval in seconds andthreshold/number of hits while performing state and packet validation ofthe underlying SCTP protocol. As another example, the security platformcan perform rate limiting M2PA protocol messages with aggregationcriteria of source, destination, or source and destination IP/IPs, timeinterval in seconds and threshold/number of hits while performing stateand packet validation of the underlying SCTP protocol. As anotherexample, the security platform can perform rate limiting of SUA protocolmessages with aggregation criteria of source, destination, or source anddestination IP/IPs, time interval in seconds and threshold/number ofhits while performing state and packet validation of the underlying SCTPprotocol.

Example Processes for Application Layer Signaling Security with NextGeneration Firewall in Mobile Networks for Service Providers

FIG. 9 is a flow diagram of a process for performing application layersignaling based security in mobile networks for service providers inaccordance with some embodiments. In some embodiments, a process 900 asshown in FIG. 9 is performed by the security platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1A-7 . In one embodiment, process 900 is performed bydata appliance 600 as described above with respect to FIG. 6 , networkdevice 700 as described above with respect to FIG. 7 , a virtualappliance, an SDN security solution, a cloud security service, and/orcombinations or hybrid implementations of the aforementioned asdescribed herein.

The process begins at 902. At 902, monitoring application layersignaling traffic on a service provider network at a security platformis performed. For example, the security platform (e.g., a firewall, anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies) can monitor MAP,CAP, and/or INAP traffic on the mobile core network.

At 904, filtering the application layer signaling traffic at thesecurity platform based on a security policy is performed. For example,the security platform can filter the application layer signaling trafficprotocol (e.g., MAP, CAP, and/or INAP protocol) and a lower layersignaling protocol (e.g., SCCP protocol) based on the security policy.

At 906, state and packet validation of a lower layer signaling protocolis performed based on the security policy. For example, the securityplatform can perform state and packet validation of the underlying SCTPprotocol while filtering MAP, CAP, or INAP protocol messages (e.g., orother layer-7/application layer messages).

In one embodiment, the security platform performs state and packetvalidation of the underlying SCTP protocol while filtering MAP, CAP, orINAP protocol messages. For example, the security platform can performstate and packet validation of the underlying SCTP protocol whilefiltering MAP, CAP, or INAP protocol messages per subsystem number (SSN)and source/destination IP addresses (IPs). As another example, thesecurity platform can perform state and packet validation of theunderlying SCTP protocol while filtering MAP, CAP, or INAP protocolmessages per SSN, Global Title (GT), and IPs. As another example, thesecurity platform can perform state and packet validation of theunderlying SCTP protocol while filtering MAP, CAP, or INAP protocolmessages per SSN, GT, opcode, and IPs.

At 908, enforcing the security policy using the security platform isperformed. For example, various enforcement actions (e.g., allow/pass,block/drop, alert, tag, monitor, log, throttle, restrict access, and/orother enforcement actions) can be performed using the security platformas similarly described above. For example, the security platform canblock a message filtered in the application layer signaling traffic or alower layer of signaling traffic based on the security policy.

In one embodiment, the security platform performs rate limiting of anyOSI layer 7/application layer signaling protocol(s) messages (e.g., MAP,CAP, or INAP) with aggregation criteria of source, destination, orsource and destination IP/IPs, time interval in seconds andthreshold/number of hits while performing state and packet validation ofthe underlying SCTP protocol. For example, the security platform canperform rate limiting of any OSI layer 7 signaling protocol(s) messages(e.g., MAP, CAP, or INAP) per opcode (e.g., when applicable) withaggregation criteria of source, destination, or source and destinationIP/IPs, time interval in seconds and threshold/number of hits whileperforming state and packet validation of the underlying SCTP protocol.

Example Processes for Network Layer Signaling Security with NextGeneration Firewall in Mobile Networks for Service Providers

FIG. 10 is a flow diagram of a process for performing network layersignaling based security in mobile networks for service providers inaccordance with some embodiments. In some embodiments, a process 1000 asshown in FIG. 10 is performed by the security platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1A-7 . In one embodiment, process 1000 is performed bydata appliance 600 as described above with respect to FIG. 6 , networkdevice 700 as described above with respect to FIG. 7 , a virtualappliance, an SDN security solution, a cloud security service, and/orcombinations or hybrid implementations of the aforementioned asdescribed herein.

The process begins at 1002. At 1002, monitoring network layer signalingtraffic on a service provider network at a security platform isperformed. For example, the security platform (e.g., a firewall, anetwork sensor acting on behalf of the firewall, or anotherdevice/component that can implement security policies) can monitor SCCPtraffic on the mobile core network.

At 1004, filtering the network layer signaling protocol traffic at thesecurity platform based on a security policy is performed. For example,the security platform can filter the SCCP protocol and a lower layersignaling protocol (e.g., SCTP protocol) or a higher layer of signalingtraffic (e.g., MAP, CAP, or INAP, or other layer-7/application layermessages) based on the security policy.

At 1006, state and packet validation of a lower layer signaling protocolis performed based on the security policy. For example, the securityplatform can perform state and packet validation of the underlying SCTPprotocol while filtering the SCCP protocol traffic.

In one embodiment, the security platform performs state and packetvalidation of the underlying SCTP protocol while filtering the SCCPprotocol traffic. For example, the security platform can perform stateand packet validation of the underlying SCTP protocol while filteringthe SCCP protocol traffic per source/destination IP addresses (IPs). Asanother example, the security platform can perform state and packetvalidation of the underlying SCTP protocol while filtering the SCCPprotocol traffic per GT and source/destination IPs.

At 1008, enforcing the security policy using the security platform isperformed. For example, various enforcement actions (e.g., allow/pass,block/drop, alert, tag, monitor, log, throttle, restrict access, and/orother enforcement actions) can be performed using the security platformas similarly described above. For example, the security platform canblock a message filtered in the SCCP protocol traffic or a lower/higherlayer of signaling traffic based on the security policy.

In one embodiment, the security platform performs rate limiting of anySCCP messages with aggregation criteria of source, destination, orsource and destination IP/IPs, time interval in seconds andthreshold/number of hits while performing state and packet validation ofthe underlying SCTP protocol.

Example Processes for Diameter over SCTP Security with Next GenerationFirewall in Mobile Networks for Service Providers

FIG. 11 is a flow diagram of a process for performing Diameter overSCTP-based security in mobile networks for service providers inaccordance with some embodiments. In some embodiments, a process 1100 asshown in FIG. 11 is performed by the security platform and techniques assimilarly described above including the embodiments described above withrespect to FIGS. 1A-7 . In one embodiment, process 1100 is performed bydata appliance 600 as described above with respect to FIG. 6 , networkdevice 700 as described above with respect to FIG. 7 , a virtualappliance, an SDN security solution, a cloud security service, and/orcombinations or hybrid implementations of the aforementioned asdescribed herein.

The process begins at 1102. At 1102, monitoring Diameter protocoltraffic (e.g., the Diameter protocol refers to an Authentication,Authorization, and Accounting (AAA) protocol, and Diameter applicationssuch as S6a/S6d, S9, Gx extend the functionality of Diameter baseprotocol for mobile network specific use cases) on a service providernetwork at a security platform is performed. For example, the securityplatform (e.g., a firewall, a network sensor acting on behalf of thefirewall, or another device/component that can implement securitypolicies) can monitor Diameter traffic on the mobile core network.

At 1104, filtering the Diameter protocol traffic at the securityplatform based on a security policy is performed. For example, thesecurity platform can filter the Diameter protocol and a lower layersignaling protocol (e.g., SCTP protocol) based on the security policy.

At 1106, state and packet validation of a lower layer signaling protocolis performed based on the security policy. For example, the securityplatform can perform state and packet validation of the underlying SCTPprotocol while filtering the Diameter protocol traffic.

In one embodiment, the security platform performs state and packetvalidation of the underlying SCTP protocol while filtering the Diameterprotocol traffic. For example, the security platform can perform stateand packet validation of the underlying SCTP protocol while filteringthe Diameter protocol traffic per source/destination IP addresses (IPs).As another example, the security platform can perform state and packetvalidation of the underlying SCTP protocol while filtering the Diameterprotocol traffic per Application-ID and source/destination IPs. Asanother example, the security platform can perform state and packetvalidation of the underlying SCTP protocol while filtering the Diameterprotocol traffic per Application ID, Command Code, andsource/destination IPs. As another example, the security platform canperform state and packet validation of the underlying SCTP protocolwhile filtering the Diameter protocol traffic per Application ID,Command Code, AVP, and source/destination IPs.

At 1108, enforcing the security policy using the security platform isperformed. For example, various enforcement actions (e.g., allow/pass,block/drop, alert, tag, monitor, log, throttle, restrict access, and/orother enforcement actions) can be performed using the security platformas similarly described above. For example, the security platform canblock a message filtered in the Diameter protocol traffic or alower/higher layer of signaling traffic based on the security policy.

In one embodiment, the security platform performs rate limiting of anyDiameter messages with aggregation criteria of source, destination, orsource and destination IP/IPs, time interval in seconds andthreshold/number of hits while performing state and packet validation ofthe underlying SCTP protocol. For example, the security platform canperform rate limiting of any Diameter messages per Application ID withaggregation criteria of source, destination, or source and destinationIP/IPs, time interval in seconds and threshold/number of hits whileperforming state and packet validation of the underlying SCTP protocol.As another example, the security platform can perform rate limiting ofany Diameter messages per Command Code with aggregation criteria ofsource, destination, or source and destination IP/IPs, time interval inseconds and threshold/number of hits while performing state and packetvalidation of the underlying SCTP protocol. As another example, thesecurity platform can perform rate limiting of any Diameter messages perAVP with aggregation criteria of source, destination, or source anddestination IP/IPs, time interval in seconds and threshold/number ofhits while performing state and packet validation of the underlying SCTPprotocol.

Although the foregoing embodiments have been described in some detailfor purposes of clarity of understanding, the invention is not limitedto the details provided. There are many alternative ways of implementingthe invention. The disclosed embodiments are illustrative and notrestrictive.

What is claimed is:
 1. A system, comprising: a processor configured to:monitor transport layer signaling traffic on a service provider networkat a security platform; block a message filtered in the transport layersignaling traffic at the security platform based on a security policy,wherein a transport layer signaling protocol is a signaling transport(SIGTRAN) protocol, and perform state and packet validation of a StreamControl Transport Protocol (SCTP) protocol per payload protocolidentifier (PPID) and source/destination IP addresses while performingfiltering of SIGTRAN protocol messages; and a memory coupled to theprocessor and configured to provide the processor with instructions. 2.The system recited in claim 1, wherein the processor is furtherconfigured to perform security policy enforcement based on the SIGTRANprotocol.
 3. The system recited in claim 1, wherein the processor isfurther configured to perform state and packet validation of a lowerlayer signaling protocol based on the security policy.
 4. The systemrecited in claim 1, wherein the processor is further configured to blocka message filtered in a higher layer of signaling traffic based on thesecurity policy.
 5. The system recited in claim 1, wherein the processoris further configured to perform rate limiting of messages in thetransport layer signaling traffic at the security platform based on thesecurity policy.
 6. The system recited in claim 1, wherein the processoris further configured to perform rate limiting of SIGTRAN protocolmessages with aggregation criteria of source, destination, or source anddestination IP/IPs, time interval in seconds and threshold/number ofhits while performing state and packet validation of the underlying SCTPprotocol.
 7. The system recited in claim 1, wherein the processor isfurther configured to perform rate limiting of SIGTRAN protocol messageswith aggregation criteria of source, destination, or source anddestination IP/IPs, time interval in seconds and threshold/number ofhits while performing state and packet validation of the underlying SCTPprotocol, wherein the SIGTRAN protocol messages include one or more ofthe following: M2UA protocol messages, M3UA protocol messages, M2PAprotocol messages, and SUA protocol messages.
 8. The system recited inclaim 1, wherein the processor is further configured to perform ratelimiting of SIGTRAN protocol messages with aggregation criteria ofsource, destination, or source and destination IP/IPs, time interval inseconds and threshold/number of hits while performing state and packetvalidation of the underlying SCTP protocol, wherein the SIGTRAN protocolmessages include two or more of the following: M2UA protocol messages,M3UA protocol messages, M2PA protocol messages, and SUA protocolmessages.
 9. The system recited in claim 1, wherein the processor isfurther configured to perform threat prevention based on a transportlayer signaling protocol.
 10. The system recited in claim 1, wherein thesecurity platform monitors wireless interfaces including a plurality ofinterfaces for a transport layer signaling protocol and user datatraffic in a mobile core network for a 3G and/or 4G network.
 11. Amethod, comprising: monitoring transport layer signaling traffic on aservice provider network at a security platform; and blocking a messagefiltered in the transport layer signaling traffic at the securityplatform based on a security policy, wherein a transport layer signalingprotocol is a signaling transport (SIGTRAN) protocol, and perform stateand packet validation of a Stream Control Transport Protocol (SCTP)protocol per payload protocol identifier (PPID) and source/destinationIP addresses while performing filtering of SIGTRAN protocol messages.12. The method of claim 11, wherein the method further comprisesperforming security policy enforcement based on the SIGTRAN protocol.13. The method of claim 11, wherein the method further comprisesperforming state and packet validation of a lower layer signalingprotocol based on the security policy.
 14. The method of claim 11,wherein the method further comprises blocking a message filtered in ahigher layer of signaling traffic based on the security policy.
 15. Themethod of claim 11, wherein the method further comprises performing ratelimiting of messages in the transport layer signaling traffic at thesecurity platform based on the security policy.
 16. The method of claim11, wherein the method further comprises performing rate limiting ofSIGTRAN protocol messages with aggregation criteria of source,destination, or source and destination IP/IPs, time interval in secondsand threshold/number of hits while performing state and packetvalidation of the underlying SCTP protocol.
 17. The method of claim 11,wherein the method further comprises performing rate limiting of SIGTRANprotocol messages with aggregation criteria of source, destination, orsource and destination IP/IPs, time interval in seconds andthreshold/number of hits while performing state and packet validation ofthe underlying SCTP protocol, wherein the SIGTRAN protocol messagesinclude one or more of the following: M2UA protocol messages, M3UAprotocol messages, M2PA protocol messages, and SUA protocol messages.18. A computer program product, the computer program product beingembodied in a non-transitory computer readable storage medium andcomprising computer instructions for: monitoring transport layersignaling traffic on a service provider network at a security platform;and blocking a message filtered in the transport layer signaling trafficat the security platform based on a security policy, wherein a transportlayer signaling protocol is a signaling transport (SIGTRAN) protocol,and perform state and packet validation of a Stream Control TransportProtocol (SCTP) protocol per payload protocol identifier (PPID) andsource/destination IP addresses while performing filtering of SIGTRANprotocol messages.
 19. The computer program product recited in claim 18,wherein the computer program product further comprises computerinstructions for blocking a message filtered in a higher layer ofsignaling traffic based on the security policy.
 20. The computer programproduct recited in claim 18, wherein the computer program productfurther comprises computer instructions for performing rate limiting ofmessages in the transport layer signaling traffic at the securityplatform based on the security policy.